By Jim Shagawat, founder of Windfall Wealth™
In March of 2014, the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) sponsored a cybersecurity roundtable discussing the importance of protecting the market and customer data from cyber-threats. The Chair of the SEC, Mary Jo White, emphasized the “compelling need for stronger partnerships between the government and private sector” to address cyber threats.
As we recall, in December of 2013 Target was breached, with an estimated 110 million customers having their credit cards compromised and needing to have them reissued by banks. Commissioner Luis Aguilar cited this among a list of reasons it was best to have this roundtable, including how several large banks had suffered many denial-of-service attacks that took their websites down. He also noted that several government agencies and financial institutions had experienced cyber-attacks, and voiced his concern that such attacks have become “more frequent and sophisticated.”
Let us not forget how one of the government agencies, the Office of Personnel Management (OPM), experienced a couple of different attacks back in 2012 and 2014 and subsequently had an estimated 22 million records of current and former federal employees’ personal information exposed. The inspector general released a blunt statement noting that the OPM lacked encryption, failed to use two-factor authentication for access to highly confidential information and was unaware of all the systems connected to the network.
While we could conclude most of us are not huge fans of regulations, the roundtable at the time was an important step toward outlining recommendations to help firms regulated by the SEC prevent a cyber breach within the Registered Investment Advisor (RIA) industry. Many RIAs are small firms without the knowledge, staffing or expertise to know how best to protect our firms or our client data from being compromised.
The roundtable concluded with the OCIE tasked with examining 50 firms with a focus on cybersecurity, and with helpful cybersecurity guidelines covering what would be reviewed during the examinations and how firms can best stay in compliance. The guidelines were developed using the National Institute of Standards and Technology (NIST) Cybersecurity Framework and are quite comprehensive.
The guidelines covered five areas of concern:
- Identification of Risks and Cybersecurity Governance
- Protection of Firm Networks and Information
- Risks Associated with Remote Customer Access and Funds Transfer Requests
- Risks Associated with Vendors and Other Third Parties
- Detection of Unauthorized Activity
Let’s review some more specifics for each of these areas and then a summary of the OCIE’s findings upon completion of the examinations.
First, it is critical that each firm has a written information security policy and a business continuance plan, which are part of governance, and a person responsible as the Chief Information Security Officer (CISO). All the company devices, software, and network should be inventoried and documented. It is recommended that a security assessment be performed and documented with the level of risk and the appropriate steps to mitigate any moderate or high risks. Lastly, it is recommended that the firm maintain cybersecurity insurance that will cover any losses or exposures resulting from a cybersecurity incident.
The second area of focus includes confirmation that each firm has a documented security awareness training program, including dates, topics, and the employees who participated. Additionally, is access limited according to least privilege, meaning access to only the information and software applications employees absolutely need to perform their job? Does the firm address whether removable media is allowed, and does it have a data destruction policy? Encryption is recommended for both communication and mobile devices, essentially for confidential data in motion and at rest. Finally, are backups checked and tested regularly, and are systems patched with critical security patches and documented appropriately?
The RIA industry manages personal and confidential relationships with our clients, so it comes as no surprise that guidance for customer access and funds transfer requests is addressed by the OCIE. It is important that a documented process is clear and followed by each firm for items such as balance inquiries, contact information changes, beneficiary changes, and transfers or withdrawals of funds, and for how customers are authenticated for any online access. Also addressed is how verification is completed when a client asks by email to transfer funds.
It seems all too obvious not to transfer funds without some other form of verification, yet all too often victims are duped by a cyber-criminal into blindly transferring money to the wrong account.
Since many firms are small and cannot typically afford a full-time technology position, most outsource this function to third-party vendors, and as such, appropriate due diligence should be taken when deciding on a technology partner. The Target breach mentioned at the beginning of this article was because of a third party and poor network segmentation; therefore, it is important that the process for selecting third-party vendor(s) is documented thoroughly and that firms confirm controls are in place to prevent any unauthorized access.
Finally, while it is important to have documented policies and procedures in place, even more critical is an awareness of any unauthorized activity. This part of the guidance provided by the OCIE includes monitoring third-party access, and monitoring the network and physical devices for potential cybersecurity events and for any unauthorized devices, connections and software installed. Additionally, it includes conducting routine penetration tests and vulnerability scans to identify security risks and improve the firm’s policies and defenses.
In August of 2017, the OCIE reported its findings after the review and examination of 75 firms. Most of the firms did conduct periodic assessments to identify cybersecurity threats and vulnerabilities, and the majority conducted penetration tests and vulnerability scans. Many of the companies had processes in place to ensure regular security patching and updates, yet a significant number of system patches and security updates had not been installed.
While most firms had incident response plans in place to notify customers of any material event, nearly two-thirds of them failed to maintain such plans. As for fund transfer requests, all the companies examined maintained policies and procedures for verifying the authenticity of the person making the request, yet the policies were confusing, making it unclear at times whether some activities were permissible.
Many additional issues in the reported observations are worth noting. While almost all firms had written policies and procedures for cybersecurity protections, most were general guidelines that were limited in scope or too vague to implement. Another shortcoming was that, while each firm required cybersecurity awareness training, they did not actually ensure the training occurred or take any action against those not completing it.
Outdated risk assessments, as well as running operating systems which were no longer supported, were also cited by the examiners. Finally, even though firms did have routine penetration tests and vulnerability scans, many did not remedy high-risk findings in a timely manner, which defeats the purpose of running these tests.
Even though it is impossible to regulate against a cybersecurity breach, the guidelines provided by the SEC roundtable, properly implemented, can reduce the likelihood of a breach. However, if your cybersecurity program is padded with worthless policies and procedures that are not followed, enforced, updated or easy for employees to understand, be on the lookout for the cyber-criminals who are experts on how to exploit vulnerabilities.
Take these regulations seriously and find a professional to help implement them. These are practical regulations built on the foundation of the NIST guidelines. RIAs are fiduciaries to our clients and we must always look out for the best interest of our clients; therefore, not having an effective cybersecurity program would be neglecting our responsibilities.
About the Author
Jim Shagawat is the founder of Windfall Wealth™ Advisors, a financial planning firm that specializes in helping recipients of sudden wealth take back control of their finances with confidence. Visit https://www.windfallwealthadvisors.com. Too frequently I’ve seen people make honest mistakes, get mistreated, and go through their sudden wealth before they realize it. I can’t stand by and watch this happen and am determined to make sure it doesn’t happen to you. This isn’t just my job, it’s a personal mission. I created Windfall Wealth™ Advisors and our exclusive Windfall Wealth™ Process to enable people to take the bold leap towards the life they’ve always dreamed of, safe in the knowledge that they have a capable and trustworthy advocate to guide them on their journey. Empowering clients to evolve from feeling confused and intimidated by their wealth to becoming confident and in control is what drives me every day. No stone goes unturned in my efforts. I am highly trained in financial planning and wealth management and am CFP®, MBA, ChFC®, and NAPFA accredited. I also hold a Master’s in Business Administration, Finance and Marketing from Rutgers University Newark. When I’m not helping clients live better lives, you’ll find me at home in New Jersey with my wonderful wife, Eve, and our two teenage children. When I manage to steal a quiet moment to myself, I love listening to music and playing my saxophone.